The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has been named a Top-Level Root CVE Numbering Authority (CNA) and it will be overseeing CNAs that assign CVE identifiers for vulnerabilities in industrial control systems (ICS) and medical devices.
CNAs are responsible for issuing CVE identifiers for vulnerabilities found in their own or third-party products. A Top-Level Root CNA can not only assign CVEs, but it’s also tasked with managing CNAs in a specific domain or community.
In CISA’s case, it will be in charge of ICS and medical device vendors that are CNAs. Specifically, CISA will ensure that CVE identifiers are assigned properly, it will implement rules and guidelines of the CVE Program, it will resolve disputes, and it will recruit new CNAs.
Initially, CISA will oversee seven CNAs, including Alias Robotics, ABB, [email protected], Johnson Controls, Bosch, Siemens and Gallagher Group.
“Establishing CISA as a Top-Level Root consolidates the vast expertise required to effectively assign CVE IDs to ICS and medical device vulnerabilities and enables the rapid identification and resolution of issues specific to those environments,” said CISA and MITRE.
They added, “As the Nation’s risk advisor, CISA serves the unique role as a trusted information broker across a diverse set of public and private stakeholders. In this role, CISA fosters increased information sharing to help these stakeholders make more informed decisions to better understand and manage risk from cyber and physical threats.”
Learn more about vulnerabilities in industrial systems at SecurityWeek’s 2020 ICS Cyber Security Conference and SecurityWeek’s Security Summits virtual event series
CISA and MITRE are the only Top-Level Root CNAs, while Japan’s JPCERT/CC is a Root CNA.
According to MITRE, there are currently 139 CNAs across 24 countries. One of the latest additions is OT and IoT security solutions provider Nozomi Networks, which can assign CVEs to flaws found in its own products and third-party industrial and IoT products that are not covered by a different CNA.
Related: GitHub Becomes CVE Numbering Authority, Acquires Semmle
Related: Rapid7 Appointed CVE Numbering Authority
Related: SAP Becomes CVE Numbering Authority